Mint access token

Visibility: public · internal ( OpenAPI Custom Extension: x-visibility )

Exchange a credential for a self-contained JWT access token. This endpoint proxies to the underlying identity provider for token issuance.

Three grant types are supported:

authorization_code — Interactive user session. Exchanges an authorization code obtained from the OAuth2 /authorize flow.

api_key — Programmatic access via an API key. The caller presents the opaque, prefixed API key token. Effective privileges are evaluated as the intersection of the key's role list (if set) and the creating user's current roles within the key's scope.

client_credentials — Service account authentication. The caller presents a client_id and client_secret pair. Effective privileges are the service account's directly assigned roles within its scope.

All grant types support optional scope narrowing at mint time: the caller can request a narrower scope and/or a subset of roles for the issued token. The requested scope must be at or below the credential's scope in the resource hierarchy, and the requested roles must be a subset of the credential's effective roles.

curl -X POST "https://api.k0rdent.ai/v1/regions/global/auth/token" \  -H "Content-Type: application/json" \  -d '{    "grant_type": "authorization_code",    "code": "string",    "redirect_uri": "http://example.com"  }'

{
  "access_token": "string",
  "token_type": "Bearer",
  "expires_in": 900,
  "refresh_token": "string"
}

{
  "error": {
    "code": 0,
    "message": "string",
    "details": [
      {}
    ]
  }
}

{
  "error": {
    "code": 0,
    "message": "string",
    "details": [
      {}
    ]
  }
}

{
  "error": {
    "code": 0,
    "message": "string",
    "details": [
      {}
    ]
  }
}

{
  "error": {
    "code": 0,
    "message": "string",
    "details": [
      {}
    ]
  }
}